Block spoofing emails

We are using UTM as our mail gateway, lately, a lot of our users have received spoofing emails that appear from themself.

We use emailspooftest dotcom site to test our mail servers, and it detects the problem was

Internal authentication is not enforced.

Fix: On inbound email gateways, only allow specific IP addresses to send mail from internal domains or force an auth challenge for internal domains. This is typically a relay setting.

Could anyone suggest how to fix this problem in Sophos?

Top Replies

JosefBergmann over 1 year ago in reply to Johnny Long +1

Ok so you use "Softfail" (~all) in your SPF-policy, these will not stop the spoofed mail on the UTM. More details see here Sophos UTM: Enable Sender Policy Framework (SPF) "... Your SPF record should…

Parents

JosefBergmann over 1 year ago

Hi,

I recommend setting SPF-records for your domain and enabling "Perfom SPF check" in SMTP->Antispam.

bye Josef

BERGMANN engineering & consulting GmbH, Wien/Austria
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
Johnny Long over 1 year ago in reply to JosefBergmann

Hi Josef, thank you for your reply.

SPF is always enabled and records are update-to-date, this seems to be an open relay problem in UTM.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
dirkkotte over 1 year ago in reply to Johnny Long

can you show us your smtp/relaying configuration?

please hide your domain names...

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
Johnny Long over 1 year ago in reply to dirkkotte

Thank you for your reply, are you referring to this page?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
dirkkotte over 1 year ago in reply to Johnny Long

Config looks ok.

You should do an "open-relay-test" (included here https://mxtoolbox.com/diagnostic.aspx ) and check the mail-log afterwards.

You should see "relay not permitted" for the mail from supertool@mxtoolboxsmtpdiag.com to test@mxtoolboxsmtpdiag.com

... but your mailsystem is configured to receive mail for users within your domain ... and it don't check if the sender is from your domain too. (may be, anoter location of your domain send the mail .. this may be ok)
If you activate SPF-check and SPF is configured ok and there is no exception ... the system should not accept mails from mail servers not included within the SPF-record.
You may PM me your domain and i will check the SPF record.

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel

Reply

dirkkotte over 1 year ago in reply to Johnny Long

Config looks ok.

You should do an "open-relay-test" (included here https://mxtoolbox.com/diagnostic.aspx ) and check the mail-log afterwards.

You should see "relay not permitted" for the mail from supertool@mxtoolboxsmtpdiag.com to test@mxtoolboxsmtpdiag.com

... but your mailsystem is configured to receive mail for users within your domain ... and it don't check if the sender is from your domain too. (may be, anoter location of your domain send the mail .. this may be ok)
If you activate SPF-check and SPF is configured ok and there is no exception ... the system should not accept mails from mail servers not included within the SPF-record.
You may PM me your domain and i will check the SPF record.

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel

Children

Johnny Long over 1 year ago in reply to dirkkotte

Hi dirkkotte,

I can confirm the SPF is configured ok, we tested it many times on different testing sites and there are no issues.

I did the "open-relay-test" as you suggested, which seems to be an open relay, any suggestions on how to fix it in UTM, our MX records are all pointing to the UTM 9 server
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
dirkkotte over 1 year ago in reply to Johnny Long

This kooks like my installations.

Please check the UTM-Mail-log (within mail-manager). There i have "blocked - relay not permitted"

Do you really activate SPF filtering at UTM?

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
Johnny Long over 1 year ago in reply to dirkkotte

Yes, SPF filter is enabled
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
Johnny Long over 1 year ago in reply to dirkkotte

I cannot see "blocked - relay not permitted" in Mail Manager.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
Florian Gall over 1 year ago in reply to dirkkotte

just send an email from an external source as postmaster@yourdomain through the firewall and you have your open relay... no checks at all will be applied...
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
dirkkotte over 1 year ago in reply to Johnny Long

Which result do you see for the mail from supertool@mxtoolboxsmtpdiag.com to test@mxtoolboxsmtpdiag.com ?

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
Johnny Long over 1 year ago in reply to dirkkotte

The results show as

SendSMTPCommand: You hung up on us after we connected. Please whitelist us. (connection lost)
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel